Re: SkoleLinux @ Chemnitzer Linuxtage

2011-01-07 Thread Andreas Tille
Hi Mike,

On Sat, Jan 08, 2011 at 12:12:33AM +0100, Mike Gabriel wrote:
> I am currently attending the Skolelinux meeting in Gütersloh which is  
> already a fine opportunity for me to gain an overview on Debian Edu and 
> people around it.

Cool!  Yes, I think joining those meetings is perfect.

> (Kurt showed quite a lot of photos tonight that many of 
> you were on when talking about past events in 2010). So that was really 
> nice!!!

:-)

> There will probably be other events that I will attend throughout the next 
> months... if Chemnitz will be a location to visit I cannot say, yet.

While I regard Chemnitz as one of the best events I know (but for sure I
do not know them all) the point is to compare your options.  In
Gütersloh you learn that SkoleLinux is great, but on those events you
can meet other booths.  (I'm personally convinced that this will not
lead to a different decision but it will ensure you that your decision
was finally thoroughly thought.)

Kind regards

 Andreas.

-- 
http://fam-tille.de


-- 
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20110108073205.ga23...@an3as.eu



Your Bugzilla buglist needs attention.

2011-01-07 Thread drift
[This e-mail has been automatically generated.]

You have one or more bugs assigned to you in the Bugzilla bug tracking system 
(http://bugs.skolelinux.org/) that require
attention.

All of these bugs are in the NEW or REOPENED state, and have not been
touched in 7 days or more.
You need to take a look at them, and decide on an initial action.

Generally, this means one of three things:

(1) You decide this bug is really quick to deal with (like, it's INVALID),
and so you get rid of it immediately.
(2) You decide the bug doesn't belong to you, and you reassign it to
someone else. (Hint: if you don't know who to reassign it to, make
sure that the Component field seems reasonable, and then use the
"Reassign bug to default assignee of selected component" option.)
(3) You decide the bug belongs to you, but you can't solve it this moment.
Just use the "Accept bug" command.

To get a list of all NEW/REOPENED bugs, you can use this URL (bookmark
it if you like!):
http://bugs.skolelinux.org/buglist.cgi?bug_status=NEW&bug_status=REOPENED&assigned_to=debian-...@lists.debian.org

Or, you can use the general query page, at 
http://bugs.skolelinux.org/query.cgi

Appended below are the individual URLs to get to all of your NEW bugs
that haven't been touched for a week or more.

You will get this message once a day until you've dealt with these bugs!

 installer ignores mirror/http/proxy preseeding
-> http://bugs.skolelinux.org/show_bug.cgi?id=1458
 ignores mirror/http/hostname preseed
-> http://bugs.skolelinux.org/show_bug.cgi?id=1459





Re: Gosa vs. CipUX

2011-01-07 Thread Christian Kuelker
Hi,

Mike Gabriel wrote:
> Hi Petter, hi Klaus,
> 
> On Fr 07 Jan 2011 11:01:34 CET Petter Reinholdtsen wrote:
> 
>> [Klaus Knopper]
>>> Hi Petter,
>>
>> Hi.
>>
>>> Ok, here I am, at least for LINBO and italc-rlp. What do I need to
>>> do now?
>>
>> I would suggest showing up on IRC to coordinate, to a test
>> installation of the squeeze-test ISOs and figure out what need to
>> change on the installed system to integrate the two tools to work out
>> of the box (which I have no idea what is doing).  When you know what
>> need to change, see if this configuration / setup can be done using
>> preseeding ( -> add preseeding settings to debian-edu-install),
>> editing of existing files ( -> create cfengine rules in
>> debian-edu-config cf/) or by adding extra files ( -> add them to
>> debian-edu-config).  If some script need to run during installation to
>> dynamically adjust the setup at install time, a combination of these
>> might be needed.
>>
>> When changes are done to the packages in svn, one of us with upload
>> right can upload it into our test repository to get new ISOs for
>> testing.
> 
> as far as I know, LINBO is not in Debian at all and italc-rlp sounds
> like a modification of the original italc software (which is already
> packaged for Debian).
> 
> Thus, as far as I understand,
> 
> (1) some effort has to be put in filing a Debian ITP (intent to package
> for Debian) for LINBO and
> 
> (2) the Debian italc package and italc-rlp have to be checked against each
> other (I do not know about the differences of italc and italc-rlp and
> their development history). There probably is some more communication
> needed between upstream italc, italc-rlp and the package maintainer (if
> these are three different parties)...
> 
> I would love to see iTalc and LINBO move into Skolelinux...

+1

Cheers
C.





Re: NFS4 and Kerberos

2011-01-07 Thread Andreas B. Mundt
Hi Mike,

On Sat, Jan 08, 2011 at 12:31:16AM +0100, Mike Gabriel wrote:
> Hi Andi,
> 
> On Fr 07 Jan 2011 10:41:41 CET "Andreas B. Mundt" wrote:
> 
> >Take a look at 
> ><http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,
> >i.e. our exports file. If a machine wants to mount the home
> >directories, it first has to be added to a netgroup that allows
> >mounting the share. So if you walk into the school with your Laptop to
> >fake an identity on the net, it will not work the first time, because
> >your MAC address will be different from the machines in the netgroup
> >you need the membership of. The next day you walk into school you
> >will be better prepared, you modified the Laptop's MAC. Now, just
> >plug off the machine you got the MAC from and use your Laptop
> >instead with the nice user ID. I guess that's how current security is
> >thought to be.

 ^^
Sorry, this was meant ironic, I should have put an ";-)" there ...

> This setup is not really secure. If you have access to one of the
> school computers (Skolelinux clients) you boot it, use ifconfig and
> look up its IP. Then you shut the Skolelinux client down, take over
> its IP (static IP, not DHCP) and then you can mount the NFS share(s)
> on tjener.
 
Ok, that's an even easier way. 

> And if you ask me: I would be quite happy about service principals
> on each client. With service principal and user principal you gain
> NFS access, without... you do not get access...

I absolutely agree with you. Just don't know yet how to implement the
automatic creation/distribution of the principals/keytabs. That's why
I prefer a two steps approach, first implementing nfs4 with sec=sys
and if that works nicely with the automounter, then trying the next
step (sec=krb5X stuff). Perhaps it can be done in the same way as with
the users, a script called after adding the machines in GOsa ... 

And there are perhaps open issues for the diskless clients ... 

> >So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
> >help with the netgroups, but it also doesn't hurt.
> 
> >>Netgroups are not too special... but you may be right about Netgroup
> >>integration in WebGUI tools...
> >>
> >
> >Yes, the GUI administration is the problem right now.
> 
> For a flexible system having netgroups available (and configurable)
> is always an advantage!!! So, if there is some work to be done, we
> should try to include netgroups into the effort.

I tried to implement some "proof of principle" for GOsa a while ago:
<http://lists.debian.org/debian-edu/2010/04/msg00124.html>
(take a look at the picture :-)

I think, that if there is support from someone with PHP knowledge and
the project in general, something like that can be implemented in GOsa
upstream in the long run:
<https://oss.gonicus.de/pipermail/gosa/2010-May/004547.html>

> >Do you have access to a debian-edu setup? Maybe if you want to take a
> >look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
> ><http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
> >You need about a 25GiB image for Tjener+LTSPserver.
> 
> My friend Andreas (www.logo-edv.de) in Kiel has provided me an 8
> core, 16gb Virt-Server that hums (well, it really hums quite
> hummingly) in my home. There currently is a Debian Edu (lenny) setup
> installed on it and I also tried a Debian Edu (squeeze) which,
> however, partially failed. I used one of the nightly built ISOs
> which might not be appropriate, though. If there are any ISO
> recommendations for squeeze, I'll be happy to use those for setting
> up a Debian squeeze Skolelinux.

I (unfortunately) only use kvm so far. Please report installation
failures especially on real hardware to the list or on irc, as we
should do probably much more testing on real hardware. Not that in the
end everything works in the "lab" but fails in "reality" ...

Cheers,

Andi
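
The two-step plan above (NFSv4 with sec=sys first, sec=krb5X later) can be tracked with a small audit of the exports file. This is an added example, not code from the thread or from debian-edu-config; the sample entries, paths and netgroup names are constructed, and it assumes exports(5) syntax where a missing sec= means sys.

```python
"""Audit exports(5)-style entries for clients that may still use AUTH_SYS."""

KRB5_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample. It is not the project's cf.homes; the paths and
# netgroup names are assumptions made for this example.
SAMPLE_EXPORTS = """\
# step 1 of the plan: NFSv4 with sec=sys (also the default without sec=)
/skole/tjener/home0  @workstation-hosts(rw,sync,no_subtree_check) \\
                     @server-hosts(rw,sync,no_subtree_check,sec=sys)
# mid-transition: Kerberos offered, AUTH_SYS still accepted
/srv/nfs4            10.0.0.0/8(rw,fsid=0,sec=krb5p:sys)
# step 2: Kerberos only, set once as a line default
/srv/nfs4/home0      -sec=krb5p:krb5i @workstation-hosts(rw) @server-hosts
"""


def logical_lines(text):
    """Join backslash-continued lines; drop comments and blank lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line


def sec_flavors(options):
    """Return the set of flavors named by sec= options, or None if absent."""
    flavors = set()
    for opt in options:
        if opt.startswith("sec="):
            flavors.update(f for f in opt[4:].split(":") if f)
    return flavors or None


def client_kind(client):
    """Say what the server matches the client on when no Kerberos is used."""
    if client.startswith("@"):
        return "netgroup"
    if client == "*":
        return "any host"
    if "/" in client or ":" in client or client.replace(".", "").isdigit():
        return "address"
    return "hostname"


def parse_exports(text):
    """Yield (path, client, flavors) for each client of each export line."""
    for line in logical_lines(text):
        path, *specs = line.split()
        defaults = []
        for spec in specs:
            if spec.startswith("-"):      # "-opt,opt": defaults for this line
                defaults = spec[1:].split(",")
                continue
            client, _, rest = spec.partition("(")
            own = rest.rstrip(")").split(",") if rest else []
            # Assumption: a client's own sec= replaces the line default.
            flavors = sec_flavors(own) or sec_flavors(defaults) or {"sys"}
            yield path, client or "*", flavors


def audit(text):
    """Return one finding per client that is still allowed to use sec=sys."""
    findings = []
    for path, client, flavors in parse_exports(text):
        if "sys" in flavors:
            findings.append({
                "path": path,
                "client": client,
                "matched_by": client_kind(client),
                "flavors": sorted(flavors),
                "kerberos_also_offered": bool(flavors & KRB5_FLAVORS),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORTS):
        note = " (krb5 offered, sys still accepted)" if f["kerberos_also_offered"] else ""
        print(f'{f["path"]}: {f["client"]} matched by {f["matched_by"]}, '
              f'sec={":".join(f["flavors"])}{note}')
```

An entry that lists sys next to a krb5 flavor is reported as well, because a client can still choose the sys flavor for that export.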





italc-rlp integration into Skolelinux (was: Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX))

2011-01-07 Thread Mike Gabriel

Hi Klaus,
Cc: to winnie AT debian DOT org, Deb Maintainer of iTalc...


> > (2) the Debian italc package and italc-rlp have to be checked against
> > each other (I do not know about the differences of italc and
> > italc-rlp and their development history).
>
> italc-rlp uses the same mechanism and packaging as italc. So, this is
> probably also no big deal, though the key installation mechanism could
> be more elaborated. italc-rlp at http://rp.skolelinux.de/packages/italc/ .
>
> Since the original italc in Debian is kind of abandoned and italc2 is,
> as far as I know, not near to be usable, we made a fork of italc that
> contains our addons, which are examination mode and observer
> notifications plus a "loose interface" with cipux for internet access
> and examinee account management. Our package contains the necessary
> Conflicts: fields in order to just replace italc by italc-rlp cleanly,
> and works fine with Skolelinux as well as plain Debian. We also have a
> source patch of italc-rlp vs. italc, so it's quite easy to create
> italc-rlp from italc using a diff.

The probably best way about iTalc in terms of Debian is to contact the
package maintainer: Patrick Winnertz.  I'll Cc: this mail to him...

> > There probably is some
> > more communication needed between upstream italc, italc-rlp and the
> > package maintainer (if these are three different parties)...
>
> Martin Öhler who has been working on italc-rlp and its packaging, has
> discussed the issues with the italc authors, but these now seem to be
> busy developing italc2, which is not useful as development base for us
> right now.

As far as I know iTalc development is now funded or at least supported
by Univention in Bremen (personal communication with sales manager of
Univention), this might well be iTalc v2, I don't know about the
details. If iTalc v1 is really a dead end upstream then there might be
an interest to take a look at your patches for iTalc-rlp by the Debian
package maintainer.

However, your patches make only sense for Debian if you will provide a
similar functionality in iTalc v2. Otherwise your patches mean a dead
end as well. Thus, finding an agreement with iTalc upstream (i.e.
Tobias Dörffel) is a necessity anyway.

Or simply fork iTalc completely and better call it something
completely different by name and continue it in the future (with all
the hassle this will comprise). Hmmm... not a trivial issue, probably...

[this mail contained two subjects (LINBO and iTalc-rlp integration into
SL), I split up this mail, but would like to leave the last part
here...]

> We have an add-on CD containing LINBO and italc-rlp, which we use for
> school installation.

Could you provide a link?

> > I would love to see iTalc and LINBO move into Skolelinux...
>
> Me, too. It would be great if some people who have the power to make it
> happen, could attend our developer meeting in February in
> Zweibrücken/Germany. More about this later.

Well, in terms of power, this wouldn't be. However, I already start
thinking of meeting you guys there...

> Regards
> -Klaus


Greets,
Mike


--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb



LINBO integration into Skolelinux (was Re: LINBO & italc-rlp integration (Re: Gosa vs. CipUX))

2011-01-07 Thread Mike Gabriel

Hi Klaus,

On Fr 07 Jan 2011 21:40:44 CET Klaus Knopper wrote:


> For LINBO, we probably don't need to change anything in Skolelinux.
> LINBO consists of a kernel and an initial ramdisk for PXE booting a
> graphical imaging and direct boot console that handles various operating
> systems. It can be installed on any machine acting as DHCP-Server.

Similar to LTSP there should be a build-system included that helps
modifying kernel and initrd for LINBO clients. Also there should be
a tool that helps creating LINBO images that get run on the LINBO clients.

> Only if we want to install LINBO on Tjener in order to easily
> install and repair workstations in the same subnet, we could provide
> scripts that change the DHCP servers configuration. But I believe this
> can also be done manually. LINBO really just needs the two files in a
> new directory that should be accessible for tftpd.

Where do the workstation images come from? How can they be included in
Skolelinux??? For non-free OSses there should be a toolbox that helps
to create those images.

> Wait... One thing missing in LINBO is automatic localisation yet, since
> it is quite monolithic, but this is not difficult to change.

With localisation you mean translation of UI text phrases? Or
something different? i18n/l10n support is of course welcome and
probably a definite need and requirement for Debian Edu... Hopefully
your primary language is English and German phrases are gettexted in...

> > (1) some effort has to be put in filing a Debian ITP (intent to
> > package for Debian) for LINBO and
>
> Creating a Debian package for the LINBO binaries with documentation and
> examples is easy. Creating a single source package from the 1.2 GB of
> sources is near to impossible. I don't know if this is a requirement.
> We have LINBO packages on http://rp.skolelinux.de/packages/linbo/,

Of course, if LINBO wants to be included in Debian you definitely have
to provide sources for your package. I do not think that Debian
developers will be very happy about 1.2gb of code.

Please also note: one of Debian's major policies is to avoid code
duplications within the whole distribution. Without having seen your
code base, I guess the 1.2gb could be reduced by far if you took
advantage of sources and packages already available in Debian. Though,
this is just a guess... (and should be a goal!!!).

I will be happy to take a look at your LINBO link tomorrow and gain an
overview on the 1.2gb of source code ;-)


Good night from Gütersloh,
Mike






Re: NFS4 and Kerberos

2011-01-07 Thread Mike Gabriel

Hi Andi,

On Fr 07 Jan 2011 10:41:41 CET "Andreas B. Mundt" wrote:

> Take a look at
> <http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes>,
> i.e. our exports file. If a machine wants to mount the home
> directories, it first has to be added to a netgroup that allows
> mounting the share. So if you walk into the school with your Laptop to
> fake an identity on the net, it will not work the first time, because
> your MAC address will be different from the machines in the netgroup
> you need the membership of. The next day you walk into school you
> will be better prepared, you modified the Laptop's MAC. Now, just
> plug off the machine you got the MAC from and use your Laptop
> instead with the nice user ID. I guess that's how current security is
> thought to be.

This setup is not really secure. If you have access to one of the
school computers (Skolelinux clients) you boot it, use ifconfig and
look up its IP. Then you shut the Skolelinux client down, take over
its IP (static IP, not DHCP) and then you can mount the NFS share(s)
on tjener.

And if you ask me: I would be quite happy about service principals on
each client. With service principal and user principal you gain NFS
access, without... you do not get access...

> So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
> help with the netgroups, but it also doesn't hurt.

> > Netgroups are not too special... but you may be right about Netgroup
> > integration in WebGUI tools...
>
> Yes, the GUI administration is the problem right now.

For a flexible system having netgroups available (and configurable) is
always an advantage!!! So, if there is some work to be done, we should
try to include netgroups into the effort.

> Do you have access to a debian-edu setup? Maybe if you want to take a
> look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
> <http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall>
> You need about a 25GiB image for Tjener+LTSPserver.

My friend Andreas (www.logo-edv.de) in Kiel has provided me an 8 core,
16gb Virt-Server that hums (well, it really hums quite hummingly) in
my home. There currently is a Debian Edu (lenny) setup installed on it
and I also tried a Debian Edu (squeeze) which, however, partially
failed. I used one of the nightly built ISOs which might not be
appropriate, though. If there are any ISO recommendations for squeeze,
I'll be happy to use those for setting up a Debian squeeze Skolelinux.


Cheers,
Mike




Re: SkoleLinux @ Chemnitzer Linuxtage

2011-01-07 Thread Mike Gabriel

Hi Andreas,

On Fr 07 Jan 2011 13:38:37 CET Andreas Tille wrote:


> Hi Mike,
>
> On Fri, Jan 07, 2011 at 10:58:12AM +0100, Mike Gabriel wrote:
> > ... if it comes to the point that we offer and
> > recommend Skolelinux to schools in Kiel (the evaluation process is not
> > yet finished)
>
> I have no idea when you have to draw your final decision but as far as I
> know visiting the SkoleLinux booth at Chemnitzer Linuxtage (19./20.3.)
> is a good idea to learn more about the project.  From my perspective
> (looking not from a school but rather from a Debian maintainers position
> which is interested in specific applications of Debian) the SkoleLinux /
> Debian Edu project is a very good example how Debian could be rolled out
> in real life for specific applications and it has turned out the Debian
> Edu was helpful and inspiring for the whole Debian project.

I am currently attending the Skolelinux meeting in Gütersloh which is
already a fine opportunity for me to gain an overview on Debian Edu
and people around it. (Kurt showed quite a lot of photos tonight that
many of you were on when talking about past events in 2010). So that
was really nice!!!

There will probably be other events that I will attend throughout the
next months... if Chemnitz will be a location to visit I cannot say,
yet.


Greets,
Mike




Re: Kerberos in a setup with several A-records to the same IP-address

2011-01-07 Thread Mike Gabriel

Dear Sam,

On Fr 07 Jan 2011 19:20:23 CET Sam Hartman wrote:


> I wrote a paper for the MIT Kerberos Consortium (kerberos.org) on
> integrating Kerberos into applications that goes through the DNS issues
> in reasonable detail.  I recommend looking at that. It is somewhat
> developer rather than administrator focused, but will give you a good
> understanding.  Note that ssh has some explicit options to manipulate
> what it does about DNS, but most other Kerberos applications do not.


Could you be so kind and post a link or something? That would be great!!!

Mike (active on the NFS4+Kerberos thread on debian-edu)





LINBO & italc-rlp integration (Re: Gosa vs. CipUX)

2011-01-07 Thread Klaus Knopper
Hi Mike,

On Fri, Jan 07, 2011 at 04:57:44PM +0100, Mike Gabriel wrote:
> Hi Petter, hi Klaus,
> 
> On Fr 07 Jan 2011 11:01:34 CET Petter Reinholdtsen wrote:
> 
> >[Klaus Knopper]
> >>Hi Petter,
> >
> >Hi.
> >
> >>Ok, here I am, at least for LINBO and italc-rlp. What do I need to
> >>do now?
> >
> >I would suggest showing up on IRC to coordinate, to a test
   ^^^ I'm an occasional
   visitor of #debian-edu, and will ping Petter when I get a chance. :-)

> >installation of the squeeze-test ISOs and figure out what need to
> >change on the installed system to integrate the two tools to work out
> >of the box (which I have no idea what is doing).  When you know what
> >need to change, see if this configuration / setup can be done using
> >preseeding ( -> add preseeding settings to debian-edu-install),

For LINBO, we probably don't need to change anything in Skolelinux.
LINBO consists of a kernel and an initial ramdisk for PXE booting a
graphical imaging and direct boot console that handles various operating
systems. It can be installed on any machine acting as DHCP-Server.

Only if we want to install LINBO on Tjener in order to easily
install and repair workstations in the same subnet, we could provide
scripts that change the DHCP servers configuration. But I believe this
can also be done manually. LINBO really just needs the two files in a
new directory that should be accessible for tftpd.

italc-rlp uses the same mechanism and packaging as italc. So, this is
probably also no big deal, though the key installation mechanism could
be more elaborated.

> >editing of existing files ( -> create cfengine rules in
> >debian-edu-config cf/) or by adding extra files ( -> add them to
> >debian-edu-config).  If some script need to run during installation to
> >dynamically adjust the setup at install time, a combination of these
> >might be needed.
> >
> >When changes are done to the packages in svn, one of us with upload
> >right can upload it into our test repository to get new ISOs for
> >testing.
> 
> as far as I know, LINBO is not in Debian at all and italc-rlp sounds
> like a modification of the original italc software (which is already
> packaged for Debian).
> 
> Thus, as far as I understand,
> 
> (1) some effort has to be put in filing a Debian ITP (intent to
> package for Debian) for LINBO and

Creating a Debian package for the LINBO binaries with documentation and
examples is easy. Creating a single source package from the 1.2 GB of
sources is near to impossible. I don't know if this is a requirement.
We have LINBO packages on http://rp.skolelinux.de/packages/linbo/, and
italc-rlp at http://rp.skolelinux.de/packages/italc/ .

Wait... One thing missing in LINBO is automatic localisation yet, since
it is quite monolithic, but this is not difficult to change.

> (2) the Debian italc package and italc-rlp have to be checked against
> each other (I do not know about the differences of italc and
> italc-rlp and their development history).

Since the original italc in Debian is kind of abandoned and italc2 is,
as far as I know, not near to be usable, we made a fork of italc that
contains our addons, which are examination mode and observer
notifications plus a "loose interface" with cipux for internet access
and examinee account management. Our package contains the necessary
Conflicts: fields in order to just replace italc by italc-rlp cleanly,
and works fine with Skolelinux as well as plain Debian. We also have a
source patch of italc-rlp vs. italc, so it's quite easy to create
italc-rlp from italc using a diff.

> There probably is some
> more communication needed between upstream italc, italc-rlp and the
> package maintainer (if these are three different parties)...

Martin Öhler who has been working on italc-rlp and its packaging, has
discussed the issues with the italc authors, but these now seem to be
busy developing italc2, which is not useful as development base for us
right now.

We have an add-on CD containing LINBO and italc-rlp, which we use for
school installation.

> I would love to see iTalc and LINBO move into Skolelinux...

Me, too. It would be great if some people who have the power to make it
happen, could attend our developer meeting in February in
Zweibrücken/Germany. More about this later.

Regards
-Klaus





Re: Kerberos in a setup with several A-records to the same IP-address

2011-01-07 Thread Sam Hartman
I wrote a paper for the MIT Kerberos Consortium (kerberos.org) on
integrating Kerberos into applications that goes through the DNS issues
in reasonable detail.  I recommend looking at that. It is somewhat
developer rather than administrator focused, but will give you a good
understanding.  Note that ssh has some explicit options to manipulate
what it does about DNS, but most other Kerberos applications do not.





Re: Gosa vs. CipUX

2011-01-07 Thread Mike Gabriel

Hi Petter, hi Klaus,

On Fr 07 Jan 2011 11:01:34 CET Petter Reinholdtsen wrote:


> [Klaus Knopper]
> > Hi Petter,
>
> Hi.
>
> > Ok, here I am, at least for LINBO and italc-rlp. What do I need to
> > do now?
>
> I would suggest showing up on IRC to coordinate, to a test
> installation of the squeeze-test ISOs and figure out what need to
> change on the installed system to integrate the two tools to work out
> of the box (which I have no idea what is doing).  When you know what
> need to change, see if this configuration / setup can be done using
> preseeding ( -> add preseeding settings to debian-edu-install),
> editing of existing files ( -> create cfengine rules in
> debian-edu-config cf/) or by adding extra files ( -> add them to
> debian-edu-config).  If some script need to run during installation to
> dynamically adjust the setup at install time, a combination of these
> might be needed.
>
> When changes are done to the packages in svn, one of us with upload
> right can upload it into our test repository to get new ISOs for
> testing.

as far as I know, LINBO is not in Debian at all and italc-rlp sounds
like a modification of the original italc software (which is already
packaged for Debian).

Thus, as far as I understand,

(1) some effort has to be put in filing a Debian ITP (intent to
package for Debian) for LINBO and

(2) the Debian italc package and italc-rlp have to be checked against
each other (I do not know about the differences of italc and
italc-rlp and their development history). There probably is some more
communication needed between upstream italc, italc-rlp and the package
maintainer (if these are three different parties)...


I would love to see iTalc and LINBO move into Skolelinux...

Greets,
Mike



Kerberos in a setup with several A-records to the same IP-address

2011-01-07 Thread Andreas B. Mundt
Hello all,

allow me to contact the enterprise list (Cc: debian-edu), because here
are probably some experts around that can help with the following issue:
 
When working on the integration of Kerberos for debian-edu, I
encountered the following problem:

My DNS provides several A-records for the IP-address of my KDC (which
provides some more services), i.e. the host command returns:  

r...@tjener:~# host 10.0.2.2
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.

There are host and service tickets for tjener.intern only.

If I try to fetch a service ticket now, in 5 of 6 cases I get an error
in the logs because a principal like nfs/syslog.int...@intern is
missing.  Only if the KDC is asked (by chance (?)) for
nfs/tjener.int...@intern, things work as they should. (Some more
detail here: <http://lists.debian.org/debian-edu/2011/01/msg00041.html>)

My questions are now: 

Can I use several A-records in combination with Kerberos and if yes, how? 
Is there a common way of setting up the (Kerberos-) system with regard
to the DNS, i.e. are there some "best practices" or recommendations?  

Many thanks in advance,

 Andi
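
The mismatch described in this message, as an added example (not code from the post or from Debian Edu): it builds the service principal for every name the reverse lookup returns and lists those the KDC does not know. The PTR names are the ones shown above; the principal listing and the realm name INTERN are assumptions made for the example.

```python
"""Compare the names a reverse lookup returns with the KDC's principals."""
import re

# The reverse-lookup answer quoted in the message above.
HOST_OUTPUT = """\
2.2.0.10.in-addr.arpa domain name pointer tjener.intern.
2.2.0.10.in-addr.arpa domain name pointer kerberos.intern.
2.2.0.10.in-addr.arpa domain name pointer ldap.intern.
2.2.0.10.in-addr.arpa domain name pointer domain.intern.
2.2.0.10.in-addr.arpa domain name pointer postoffice.intern.
2.2.0.10.in-addr.arpa domain name pointer syslog.intern.
"""

# Constructed principal list, one per line, modelled on the statement that
# host and service principals exist for tjener.intern only. The realm name
# is an assumption.
KDC_PRINCIPALS = """\
K/M@INTERN
krbtgt/INTERN@INTERN
host/tjener.intern@INTERN
nfs/tjener.intern@INTERN
"""


def ptr_names(host_output):
    """Return every PTR target in `host <ip>` output, without trailing dot."""
    names = re.findall(r"domain name pointer (\S+)", host_output)
    return [name.rstrip(".").lower() for name in names]


def known_principals(listing):
    """Return the set of principals in a one-per-line listing."""
    return {line.strip() for line in listing.splitlines() if "@" in line}


def principal_coverage(host_output, listing, services, realm):
    """For each service, split the candidate principals service/name@REALM
    into those the KDC knows and those it would reject as unknown."""
    known = known_principals(listing)
    report = {}
    for service in services:
        present, missing = [], []
        for name in ptr_names(host_output):
            principal = f"{service}/{name}@{realm}"
            (present if principal in known else missing).append(principal)
        report[service] = {"present": present, "missing": missing}
    return report


if __name__ == "__main__":
    report = principal_coverage(HOST_OUTPUT, KDC_PRINCIPALS,
                                ["host", "nfs"], "INTERN")
    for service, result in report.items():
        total = len(result["present"]) + len(result["missing"])
        print(f"{service}: {len(result['present'])} of {total} names "
              f"have a principal")
        for principal in result["missing"]:
            print(f"  no principal for {principal}")
```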





Re: Gosa vs. CipUX

2011-01-07 Thread Jonas Smedegaard

On Fri, Jan 07, 2011 at 10:49:32AM +0100, Klaus Knopper wrote:

> Hi Petter,
>
> On Fri, Jan 07, 2011 at 10:40:38AM +0100, Petter Reinholdtsen wrote:
> > [Klaus Knopper]
> > > OK. I finally understand, partly. So, every project that wants to
> > > be integrated into Skolelinux, needs to migrate or duplicate its
> > > sources to the "Skole-SVN".
> >
> > Nope, that is a misunderstanding.  Only the code needed in the
> > debian-edu-config package to integrate with the packages in Debian
> > need to go into the Skolelinux SVN.
>
> Well, it was the second time that someone answered my question in a way
> that sounded like the main requirement was to use the Skole-SVN for
> packages in order to get something integrated. It convinced me,
> somewhat. ;-)


Well, we were talking about CipUX, for which the main _remaining_ 
requirement indeed is to use the Skole-SVN.


Reason for this is that particularly for CipUX the task of packaging 
officially for Debian is (mostly) done by now, largely thanks to 
Skolelinux Rheinland-Pfalz project contributions and encouragements!



 - Jonas

--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




Re: Gosa vs. CipUX

2011-01-07 Thread Jonas Smedegaard

On Fri, Jan 07, 2011 at 10:58:12AM +0100, Mike Gabriel wrote:
> However, Andreas and I (or whoever else joins in for CipUX/SL or
> Gosa/SL) should then heavily coordinate our work and make sure even if
> working on two separate systems that we benefit from each others' work
> AMAP.


Yes!

Best way to ensure most Skolelinux users benefit from local improvements 
is to a) use the standard Skolelinux [DIT] whenever possible, and b) 
when not possible then coordinate any and all changes with Skolelinux 
developers - and consider stepping up to get involved yourself in 
developing Skolelinux.


Best way to ensure most Linux users benefit from local improvements is 
to a) use standard Debian packages whenever possible, and b) when not 
possible then coordinate any and all packaging development with Debian 
developers to ensure getting most possible of it into Debian - and 
consider stepping up and get involved yourself in developing Debian (no, 
you need not become an official Debian Developer to do that!).


(just in case it is not obvious to everyone still)


Kind regards,

 - Jonas


[DIT]: LDAP Data Information Tree - which should *not* (as is common for 
SQL databases) be dictated by the LDAP-using technical services, but 
instead ideally be modelled after the administrative structure of the 
underlying organization, i.e. the school.


--
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private




SkoleLinux @ Chemnitzer Linuxtage

2011-01-07 Thread Andreas Tille
Hi Mike,

On Fri, Jan 07, 2011 at 10:58:12AM +0100, Mike Gabriel wrote:
> ... if it comes to the point that we offer and  
> recommend Skolelinux to schools in Kiel (the evaluation process is not  
> yet finished)

I have no idea when you have to draw your final decision but as far as I
know visiting the SkoleLinux booth at Chemnitzer Linuxtage (19./20.3.)
is a good idea to learn more about the project.  From my perspective
(looking not from a school but rather from a Debian maintainers position
which is interested in specific applications of Debian) the SkoleLinux /
Debian Edu project is a very good example how Debian could be rolled out
in real life for specific applications and it has turned out the Debian
Edu was helpful and inspiring for the whole Debian project.

> However, Andreas and I (or whoever else joins in for CipUX/SL or  
> Gosa/SL) should then heavily coordinate our work and make sure even if  
> working on two separate systems that we benefit from each others' work  
> AMAP.

Definitely.

Kind regards

  Andreas.

-- 
http://fam-tille.de





Re: Gosa vs. CipUX

2011-01-07 Thread Petter Reinholdtsen
[Klaus Knopper]
> Hi Petter,

Hi.

> Ok, here I am, at least for LINBO and italc-rlp. What do I need to
> do now?

I would suggest showing up on IRC to coordinate, do a test
installation of the squeeze-test ISOs and figure out what needs to
change on the installed system to integrate the two tools to work out
of the box (which I have no idea what is doing).  When you know what
needs to change, see if this configuration / setup can be done using
preseeding ( -> add preseeding settings to debian-edu-install),
editing of existing files ( -> create cfengine rules in
debian-edu-config cf/) or by adding extra files ( -> add them to
debian-edu-config).  If some script needs to run during installation to
dynamically adjust the setup at install time, a combination of these
might be needed.

When changes are done to the packages in svn, one of us with upload
right can upload it into our test repository to get new ISOs for
testing.

I'm happy to answer quick questions on IRC.

Happy hacking,
-- 
Petter Reinholdtsen





Re: Gosa vs. CipUX

2011-01-07 Thread Mike Gabriel

Hi Christian,

On Fr 07 Jan 2011 03:18:03 CET Christian Kuelker wrote:


> Hi,
>
> Mike Gabriel wrote:
> [...]
>
> > To me this feels like I dug out quite an issue here... It may be good
> > to come together on e.g. IRC and discuss a common strategy on this,
> > doesn't it?
>
> Yes it is some issue, but I think it is OK to mention it.
>
> I personally do not feel it make sense to have a discussion. Until
> no one is working on CipUX in the Skole SVN, Gosa will make it. Point.
>
> If there are people who want to work on this, they can start. And if
> a conflict arise we definitely should have a discussion.
>
> > It surely does not feel like making any sense if people code into
> > different directions without focusing on a common intention.
>
> I do not think that it is coding in different direction. There is
> only one direction: the layout of the Skolelinux LDAP server.
> However that looks like, Gosa and CipUX can be attached to it.
>
> The problem at the moment is, that this layout is not fixed.
>
> Sometimes I find it important that the end user should have a choice.


I especially like providing choice to users!!!

About CipUX integration... if it comes to the point that we offer and  
recommend Skolelinux to schools in Kiel (the evaluation process is not  
yet finished) then I can imagine starting to contribute to an  
administration frontend for SL. Currently, I am fascinated by CipUX,  
but for our original (self-made) school project ,,IT-Zukunft Schule''  
we also would have chosen Gosa (as I had not known about CipUX so far).


However, Andreas and I (or whoever else joins in for CipUX/SL or  
Gosa/SL) should then heavily coordinate our work and make sure even if  
working on two separate systems that we benefit from each others' work  
AMAP.


Greets,
Mike

--

DAS-NETZWERKTEAM
mike gabriel, dorfstr. 27, 24245 barmissen
fon: +49 (4302) 281418, fax: +49 (4302) 281419

GnuPG Key ID 0x1943CA5B
mail: m.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb




Re: Gosa vs. CipUX

2011-01-07 Thread Klaus Knopper
Hi Petter,

On Fri, Jan 07, 2011 at 10:40:38AM +0100, Petter Reinholdtsen wrote:
> [Klaus Knopper]
> > OK. I finally understand, partly. So, every project that wants to be
> > integrated into Skolelinux, needs to migrate or duplicate its
> > sources to the "Skole-SVN".
> 
> Nope, that is a misunderstanding.  Only the code needed in the
> debian-edu-config package to integrate with the packages in Debian
> need to go into the Skolelinux SVN.

Well, it was the second time that someone answered my question in a way
that sounded like the main requirement was to use the Skole-SVN for
packages in order to get something integrated. It convinced me,
somewhat. ;-)

> To get an idea what the gosa integration stuff in the Skolelinux SVN
> is, look at the files in the ldap-* directories in the
> debian-edu-config package in svn,
> svn://svn.debian.org/debian-edu/trunk/src/debian-edu-config .

I have seen this before.
 
> If the packages in question are missing in Debian, a different
> approach will be needed, but in general we want to avoid having
> non-Debian packages in Skolelinux.

Understandable.

> In general what is needed to integrate a new feature / system into
> Skolelinux is a person with time and interest in doing the work as
> part of the Skolelinux development team to get the feature integrated
> into the out of box configuration, and packages in Debian implementing
> the feature.  For gosa we have/had Andreas.  For the other options we
> have so far had none.

Ok, here I am, at least for LINBO and italc-rlp. What do I need to do
now?

Regards
-Klaus





Re: NFS4 and Kerberos

2011-01-07 Thread Andreas B. Mundt
Hi,

On Thu, Jan 06, 2011 at 10:13:12PM +0100, Mike Gabriel wrote:
> Hi Andreas,
> 
> On Do 06 Jan 2011 12:12:35 CET "Andreas B. Mundt" wrote:

[...]
> 
> Each client needs a Kerberos setup as well. Is this also already
> coded somewhere? I am sorry that I cannot remember exactly which of
> the services (PAM, NFS, ...) was DNS and host principal critical,
> but a healthy Kerberos setup cannot be set up with host principals
> on every client. Same for NFS4 sec=krb5p or sec=krb5i.
> 

The client setup is also implemented, iirc it only needs preseeding of
the corresponding Kerberos packages. (We might need to add a cf-rule
to have allow_weak_encryption = true in /etc/krb5.conf on the clients).

> >With this setup, users are authenticated to the system via a Kerberos
> >TGT, which works.
> 
> I think PAM alone was quite handsome and did not require host
> principals when I set up my servers...
> 

Iirc this is how it's done already. So far we have no (and need no) host
principals (only for the services on tjener).

[...]

> >My hope was, that by using Kerberos in combination with nfs4, the
> >machine management would simplify and we could get rid of IP- and
> >netgroup based "security".
> 
> What exactly do you mean by this netgroup based ,,security'' (please
> excuse that I have not dived into the details of the lenny-tjener
> that deep)?

see below

> 
> The problem about NFSv3 or NFSv4 with sec=sys is: I come to some
> school with my linux netbook, create a local user account with a
> uidNumber of some interesting account on tjener and then I mount the
> user's home dir on my netbook with rw-access.
> 

Take a look at 
http://svn.debian.org/wsvn/debian-edu/trunk/src/debian-edu-config/cf/cf.homes,
i.e. our exports file. If a machine wants to mount the home
directories, it first has to be added to a netgroup that allows
mounting the share. So if you walk into the school with your Laptop to
fake an identity on the net, it will not work the first time, because
your MAC address will be different from the machines in the netgroup
you need the membership of. The next day you walk into school you
will be better prepared, you modified the Laptop's MAC. Now, just
plug off the machine you got the MAC from and use your Laptop
instead with the nice user ID. I guess that's how current security is
thought to be. 

So using sec=sys in NFS4 is the same as using NFS3 now. It doesn't
help with the netgroups, but it also doesn't hurt.

> However, netgroups are really quite handy, because amongst others
> they allow the group of hosts in a way that can be pulled down on
> libnss level (with usage scenario e.g. with pam_access.so and
> /etc/security/access.conf). Whereas netgroups can help you to set up
> the on-site-systems in a versatile manner, it does not protect you
> against people bringing in their own devices (like my netbook).
> 
> >(Which would also resolve the need for very
> >special administrative tools).
> 
> Netgroups are not too special... but you may be right about Netgroup
> integration in WebGUI tools...
> 

Yes, the GUI administration is the problem right now.

Do you have access to a debian-edu setup? Maybe if you want to take a
look, try a virtual setup with virt-manager + KVM (rsync the DVD image):
http://wiki.debian.org/DebianEdu/HowTo/TestCDinstall
You need about a 25GiB image for Tjener+LTSPserver.

Regards,

Andi
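
An added example, not part of the original message and not the project's exports file: a check that lists every export entry still accepting AUTH_SYS (`sec=sys`, which is also the default when no `sec=` is given), the case the message above describes as equivalent to NFS3. The paths and netgroup names in the sample are constructed placeholders.

```python
"""Flag NFS exports that still accept AUTH_SYS (sec=sys) from any client."""
import re

# Constructed sample in exports(5) syntax; paths and netgroup names are
# placeholders, not the contents of the project's cf.homes.
SAMPLE_EXPORTS = """\
# home directories, access limited by netgroup only
/srv/home   @workstation-hosts(rw,sync) @server-hosts(rw,sync,sec=sys)
# Kerberos required, with integrity and privacy protection
/srv/krb    @workstation-hosts(rw,sync,sec=krb5p)
# Kerberos offered, but AUTH_SYS still accepted as a fallback
/srv/mixed  192.0.2.0/24(ro,sec=krb5i:sys)
"""

CLIENT_RE = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, flavors) for each client entry.

    Simplified parser: no quoted paths, line continuations or default-option
    ("-opts") entries. An entry without sec= uses the default flavor, sys.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients or [""]:
            match = CLIENT_RE.match(spec)
            if match is None:
                raise ValueError(f"cannot parse client entry: {spec!r}")
            options = (match.group("opts") or "").split(",")
            flavors = ["sys"]
            for option in options:
                if option.startswith("sec="):
                    flavors = option[len("sec="):].split(":")
            yield path, match.group("client") or "*", flavors


def weak_entries(text):
    """Return entries where the client-supplied uid is trusted (sys allowed)."""
    return [(path, client, flavors)
            for path, client, flavors in parse_exports(text)
            if "sys" in flavors]


if __name__ == "__main__":
    for path, client, flavors in weak_entries(SAMPLE_EXPORTS):
        kind = "netgroup" if client.startswith("@") else "host/network"
        print(f"{path}: {kind} {client} accepts sec={':'.join(flavors)}")
```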





Re: Gosa vs. CipUX

2011-01-07 Thread Petter Reinholdtsen
[Klaus Knopper]
> OK. I finally understand, partly. So, every project that wants to be
> integrated into Skolelinux, needs to migrate or duplicate its
> sources to the "Skole-SVN".

Nope, that is a misunderstanding.  Only the code needed in the
debian-edu-config package to integrate with the packages in Debian
need to go into the Skolelinux SVN.

To get an idea what the gosa integration stuff in the Skolelinux SVN
is, look at the files in the ldap-* directories in the
debian-edu-config package in svn,
svn://svn.debian.org/debian-edu/trunk/src/debian-edu-config .

If the packages in question are missing in Debian, a different
approach will be needed, but in general we want to avoid having
non-Debian packages in Skolelinux.

In general what is needed to integrate a new feature / system into
Skolelinux is a person with time and interest in doing the work as
part of the Skolelinux development team to get the feature integrated
into the out of box configuration, and packages in Debian implementing
the feature.  For gosa we have/had Andreas.  For the other options we
have so far had none.

Happy hacking,
-- 
Petter Reinholdtsen





Re: Gosa vs. CipUX

2011-01-07 Thread Klaus Knopper
On Fri, Jan 07, 2011 at 02:39:42AM +0100, Christian Kuelker wrote:
> Hi,
> 
> Klaus Knopper wrote:
> [...]
> > Sorry for potentially making this discussion longer than it should be...
> > Would you please explain to me, again, what "the CipUX people" have to
> > do, or failed to do, in order to get their working packages integrated
> > into Skolelinux? I think "the CipUX people" really _want_ to have their
> > stuff integrated into Skolelinux, but apparently don't know how the
> > magic is going to happen.
> 
> Someone has to work closely with the international project together
>  by means of skole-SVN to add the CipUX package to the package list
> of Skolelinux (in SVN) and to add specific configuration changes of
> the Skolelinux configuration to the Skole-SVN.

OK. I finally understand, partly. So, every project that wants to be
integrated into Skolelinux, needs to migrate or duplicate its sources to
the "Skole-SVN". This is somewhat new to me, though I believed this has
been said before by someone, but it wasn't entirely clear. At least, I
was not aware of this requirement. So this now means that I will find
each and every package that is present on the Skolelinux DVD, in the
"Skole-SVN", including packages that are already in Debian right?

Either way, if nobody copies the current packageable versions CipUX over
to the required Skole-SVN, I now understand why it is not in Skolelinux.
So, it is indeed a problem of "the CipUX people".

This provides interesting opportunities, now that I know all that.

I would volunteer to integrate LINBO into Skolelinux, which we already
made a package for, for our Skolelinux installations. We have 1.2 GB of
sources for LINBO in our SVN on sourceforge, and about 800 MB of changes
are ahead for kernel 2.6.37 (LINBO needs the complete kernel, libc,
embedded QT, some utilities, all licensed under GPL, in order to be
rebuilt from scratch, while the package itself would only require the
two resulting kernel/initrd binaries of 20MB to be built). Can I just
transfer them over to the Skole-SVN and rebase my working checkout?

The same applies for italc-rlp, though the source for this is not that
huge. We can temporarily strip CipUX-Support from italc-rlp in order to
get rid of the dependency.

Can I get an SVN account for Skole-SVN for doing the integration?

> After this the building of DVD and possible installations problems
> have to be observed and fixed if needed.

Great. I assume there is a process for this that will notify the project
maintainers about what they have to do in order to fix integration
problems.

> No person is assigned to this task, so there is no progress.

Since I am not involved in CipUX, but in LINBO and italc-rlp, I would
like to get assigned to the task of integrating the latter two into the
Skole-SVN and into Skolelinux. What do I have to do, where do I apply?

> I can help such person, but I can not be the person. (I do not have
> so much time - and I am traveling always so I have no lab either.)

I understand. No pressure. It is just sad that Skolelinux is in
desperate need of a LDAP middleware, and CipUX could surely be a good
choice, but though so many people (including me) are nagging, nobody can
or wants to do the deed. Makes me think there may be a flaw in the
system somewhere.  ;-)

Regards
-Klaus

